Cybercrime & Vulnerability Issues: What Emergency Managers Need to Know North Carolina Emergency Management Association Spring Conference, Wednesday, 2015-03-25

Jim Duncan Security Engineer Juniper Networks Secure Development Lifecycle Program

Brief Biography

Subject-Matter Expert on software vulnerabilities & incident response • • • Currently working on prevention of flaws (Juniper SDL program) Previously, product-security and cyber-security incident responder • • • • • Juniper, BB&T, Cisco, Penn State University, Old Dominion University TRANSITS Instructor – helping National CSIRTs in emerging economies Participant in multiple IRT and cybercrime-fighting forums (FIRST, ICASI) Critical Infrastructure Protection evangelist (NIAC VDF, CVSS, ISACs) I’m the guy you want to have sitting in the exit row on your flight!

(Also soccer referee, parliamentarian, piano technician, pistolsmith, etc.)

Why Am I Here today?

Impart a framework for thinking about cyber systems, threats, remedies • • Cybercrime and vulnerabilities are here to stay • • This will not be yet another trend report Intended as a complement to what you already heard from Tim Brown Complexity – the Internet of Things – growing without bound • Implications for interactions with other disciplines both exciting and scary • • Security,

if any

, is frequently low priority, or omitted from consideration entirely Definitely no security in “Version 0.1”, which is what first responders get to use!

• Technology is just a tool, you should not need to be an expert in it • How many of you are well-versed in internal combustion?

Problems

Nature of Cybercrime

Cybercriminals think of themselves as legitimate business people • • • • • • • Amazing parallels to counterfeiting of old: front office, back office, etc.

Well-financed, distributed, smart, not greedy (mostly) Misalignment of cultural expectations is a complicating factor • Definitions of “crimes” vary from place to place, hard to get support Resourceful: example of CAPTCHA workaround Well-researched: example of bank phishing of local church officials

Follow the money and/or spirit:

motivations explain a lot

All of the above apply to nation-state and populist activities, too!

Confidentiality/Privacy/Reputational Threats

Every misdeed I see online has an analog in the real world • • • SWATting and EAS hijacks: not much help here except the obvious D0Xing of staff and officials – Internet embarrassment is deadly • Teach staff how to protect themselves and their property online if you expect them to protect other people’s stuff online.

• Consider reputation-monitoring services and purchasing extra domains Monitor and prevent exfiltration of data in your stewardship • • •

Don’t assume data was erased

Use full-disk encryption and test it – it can never be completely erased Consider reputation-monitoring services for this as well

Telecommunications Threats

Abundant prior art proves that in-band signaling is a bad, bad idea • • DoS • • • can’t be prevented, but often it can be managed Various services for ensuring against a DoS, or mitigating it once underway Work with your ISP (maybe more than one ISP) Make sure you have experts involved Telephony DoS is old, but new again • • • • Multiple efforts in multiple countries to improve technological response “Honeypots” deployed to look for TDoS, do-not-call violations, other errors VoIP is exciting, isn’t it? Yeehaw!

Fundamental flaw: circuit-switched v. packet-switched security models

Transportation Threats

We’re a long way away from carburetion and breaker points • • • GPS spoofing and jamming • • Documented that thieves are using spoofing to hide stolen vehicles Florida motorist operated a cellphone jammer from his car during his daily commutes to force other drivers to put down their cellphones • Easy to imagine similar stunts to fraudulently redirect consumers away from competitors’ gas pumps or (pick a retail industry) How do you know your GPS is receiving correct data? Anyone?

Highway sign hijacks are clever, but what if they are subtle?

• Instead of “zombie” alerts, consider believable “Detour via…” instructions

Environmental Threats

There’s a reason armored vehicles don’t have power windows • • EMP and solar flares • • Really naïve in this area, despite decades of study Recent work very revealing and alarming, but seems to be ignored Structural HVAC, building & power controls, SCADA systems • Never underestimate the potential for someone to inadvertently connect these systems to something they shouldn’t be connected to • • And never underestimate the ability of criminals to find them (e.g., Target) What do you do when your EOC gets too hot? Too cold? Too wet? Dry?

• Example of first World Trade Center attack in the early 1990s

Solutions

Occam’s Razor, Hanlon’s Razor, etc.

“

Don’t quote other people; tell me what you know.

” [Samuel Johnson] • • • Occam’s Razor: “When considering multiple possible causes, select the cause requiring the least complexity” • Not guaranteed to be correct, but likely Hanlon’s Razor: “Never attribute to malice that which is adequately explained by stupidity.” Duncan’s Corollary: “Never attribute to an attack that which is adequately explained by negligence.” • • “Negligence” can be misconfiguration, software flaw, or user error Example of inadvertent internally sourced “attack”

Avoid Bystander Effect/Diffusion of Duty

“Why didn’t somebody

do

something?!” • • • First responders would never do this in the real world, but they let it happen in the cyber world: Don’t assume someone else will respond!

Ask questions. Lots of questions. Lots and lots and lots of questions.

• • Recipients of questions: be professional and answer appropriately Consider documenting individual findings in “security observation reports” Advocate for proper brainstorming practices • • • In the first round, get the ideas out there; no vetting whatsoever Second round, go back and evaluate the first-round responses Disciplined facilitator is sometimes needed for this to be effective

Replace Blacklisting with Whitelisting

• • • Blacklisting: “That, which is not expressly denied, is permitted.” • • Far too many systems start out this way Painful to go back and close up unnecessary ports/services/features Whitelisting: “That, which is not expressly permitted, is denied.” • • Much safer Start with all services disabled, then enable only those that are needed Example: Instead of allowing browsing everywhere, and then blocking access to a few pages, block all pages except for a selected few.

Get Smart and Stay Smart on Crypto

“Gosh, crypto is hard!” • • Doesn’t have to be difficult to understand the basics • • • • • Key length is important: long, but not too long (time is an issue, too) Key space should be as large as possible (or reasonably pragmatic) Don’t keep plaintext and encrypted text around, close by Repetition means something failed; algorithm selection is important Watch out for so called “security improvement trade-offs” • Example of password-typing alternate-left right scheme (“key space”, above) Full-disk encryption is worth mentioning again, at this point

Understand Sphere of Action

In both cyber and physical realms • • • Expectations and assumptions creep into our thought processes, distort our reasoning, and cause us to produce incorrect results Cyber threats are global but are not the typical disasters you handle • Example of NRP and Lori Bush, “There’s the hurricane/forest fire/flood!” Cultural & linguistic differences affect results • • • • Example of CAPTCHA workaround, earlier Mismatch of importance regarding Asia/Pacific “loss of face” Example of encipher/decipher v. encrypt/decrypt Time and date formats (ISO-8601), ICS phonetic alphabet

Policies and Procedures

Valuable tools for increasing and maintaining awareness • • • •

No excuses

for not having Acceptable Use Policies, Password Policies, Data Retention Policies, and so forth; write’em down, publicize them Don’t expect staff to pick good password management schemes; research apps, make recommendations (working group for NCEMA?) Consider implementing two-factor access schemes Remember that policies and guidelines should be viewed primarily as tools for education; enforcement comes only when education fails

Figure Out What Happened Later

Don’t worry about culpability in the midst of an incident • • • “Accountability is the price of openness.” [Daniel E. Geer, Sc.D.] No one builds a perfect system, so institute appropriate logging and auditing mechanisms so that after something goes wrong, you can backtrack to figure out what happened Study Ken Thompson’s “Reflections on Trusting Trust” • • 1984 ACM Turing Award lecture Brilliant, short (3 pages) explanation on how all systems are flawed because • humans are involved, and cannot be separated Completely destroys the “Many eyes makes good security” argument

Don’t Attempt To Build Perfect Systems

“The perfect is the enemy of the good enough” (or similar) • • • Lots of unnecessary effort is expended on lofty conceptions of the really cool and awesomely beautiful solution to a basic problem Don’t build seamless systems, especially in an emergency “Make them

seamful

, but with beautiful seams.” [Mark Weiser] • Example from ruggedized telecom-in-a-box in Hurricane Katrina

Be Part of the Solution, Not the Precipitate

• • • Encourage proper brainstorming • • Need sector-specific experts like you to think up interesting problems We don’t know the stuff that you don’t even know you already know Roll up the results into tabletop exercises Collaborate with cybersecurity incident responders • • • We both learn from each other We can help with cross-sector exercises We’ll know who to call when we find something important

Anything Else?

• Q&A • • Contact Information: Jim Duncan, [email protected]

, +1 919-608-0748

Thank You!